mirror of
https://github.com/golang/net.git
synced 2026-03-31 10:27:08 +09:00
dd0b200aed
The x/net go.mod now depends on go1.23. Change-Id: I24960949d84753f84f75fbdc97b7dfb92191a4d2 Reviewed-on: https://go-review.googlesource.com/c/net/+/664295 LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com> Reviewed-by: Jonathan Amsterdam <jba@google.com> Auto-Submit: Damien Neil <dneil@google.com>
540 lines
17 KiB
Go
540 lines
17 KiB
Go
// Copyright 2023 The Go Authors. All rights reserved.
|
|
// Use of this source code is governed by a BSD-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package quic
|
|
|
|
import (
|
|
"crypto"
|
|
"crypto/aes"
|
|
"crypto/cipher"
|
|
"crypto/sha256"
|
|
"crypto/tls"
|
|
"errors"
|
|
"hash"
|
|
|
|
"golang.org/x/crypto/chacha20"
|
|
"golang.org/x/crypto/chacha20poly1305"
|
|
"golang.org/x/crypto/cryptobyte"
|
|
"golang.org/x/crypto/hkdf"
|
|
)
|
|
|
|
var errInvalidPacket = errors.New("quic: invalid packet")
|
|
|
|
// headerProtectionSampleSize is the size of the ciphertext sample used for header protection.
|
|
// https://www.rfc-editor.org/rfc/rfc9001#section-5.4.2
|
|
const headerProtectionSampleSize = 16
|
|
|
|
// aeadOverhead is the difference in size between the AEAD output and input.
|
|
// All cipher suites defined for use with QUIC have 16 bytes of overhead.
|
|
const aeadOverhead = 16
|
|
|
|
// A headerKey applies or removes header protection.
|
|
// https://www.rfc-editor.org/rfc/rfc9001#section-5.4
|
|
type headerKey struct {
|
|
hp headerProtection
|
|
}
|
|
|
|
func (k headerKey) isSet() bool {
|
|
return k.hp != nil
|
|
}
|
|
|
|
func (k *headerKey) init(suite uint16, secret []byte) {
|
|
h, keySize := hashForSuite(suite)
|
|
hpKey := hkdfExpandLabel(h.New, secret, "quic hp", nil, keySize)
|
|
switch suite {
|
|
case tls.TLS_AES_128_GCM_SHA256, tls.TLS_AES_256_GCM_SHA384:
|
|
c, err := aes.NewCipher(hpKey)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
k.hp = &aesHeaderProtection{cipher: c}
|
|
case tls.TLS_CHACHA20_POLY1305_SHA256:
|
|
k.hp = chaCha20HeaderProtection{hpKey}
|
|
default:
|
|
panic("BUG: unknown cipher suite")
|
|
}
|
|
}
|
|
|
|
// protect applies header protection.
|
|
// pnumOff is the offset of the packet number in the packet.
|
|
func (k headerKey) protect(hdr []byte, pnumOff int) {
|
|
// Apply header protection.
|
|
pnumSize := int(hdr[0]&0x03) + 1
|
|
sample := hdr[pnumOff+4:][:headerProtectionSampleSize]
|
|
mask := k.hp.headerProtection(sample)
|
|
if isLongHeader(hdr[0]) {
|
|
hdr[0] ^= mask[0] & 0x0f
|
|
} else {
|
|
hdr[0] ^= mask[0] & 0x1f
|
|
}
|
|
for i := 0; i < pnumSize; i++ {
|
|
hdr[pnumOff+i] ^= mask[1+i]
|
|
}
|
|
}
|
|
|
|
// unprotect removes header protection.
|
|
// pnumOff is the offset of the packet number in the packet.
|
|
// pnumMax is the largest packet number seen in the number space of this packet.
|
|
func (k headerKey) unprotect(pkt []byte, pnumOff int, pnumMax packetNumber) (hdr, pay []byte, pnum packetNumber, _ error) {
|
|
if len(pkt) < pnumOff+4+headerProtectionSampleSize {
|
|
return nil, nil, 0, errInvalidPacket
|
|
}
|
|
numpay := pkt[pnumOff:]
|
|
sample := numpay[4:][:headerProtectionSampleSize]
|
|
mask := k.hp.headerProtection(sample)
|
|
if isLongHeader(pkt[0]) {
|
|
pkt[0] ^= mask[0] & 0x0f
|
|
} else {
|
|
pkt[0] ^= mask[0] & 0x1f
|
|
}
|
|
pnumLen := int(pkt[0]&0x03) + 1
|
|
pnum = packetNumber(0)
|
|
for i := 0; i < pnumLen; i++ {
|
|
numpay[i] ^= mask[1+i]
|
|
pnum = (pnum << 8) | packetNumber(numpay[i])
|
|
}
|
|
pnum = decodePacketNumber(pnumMax, pnum, pnumLen)
|
|
hdr = pkt[:pnumOff+pnumLen]
|
|
pay = numpay[pnumLen:]
|
|
return hdr, pay, pnum, nil
|
|
}
|
|
|
|
// headerProtection is the header_protection function as defined in:
|
|
// https://www.rfc-editor.org/rfc/rfc9001#section-5.4.1
|
|
//
|
|
// This function takes a sample of the packet ciphertext
|
|
// and returns a 5-byte mask which will be applied to the
|
|
// protected portions of the packet header.
|
|
type headerProtection interface {
|
|
headerProtection(sample []byte) (mask [5]byte)
|
|
}
|
|
|
|
// AES-based header protection.
|
|
// https://www.rfc-editor.org/rfc/rfc9001#section-5.4.3
|
|
type aesHeaderProtection struct {
|
|
cipher cipher.Block
|
|
scratch [aes.BlockSize]byte
|
|
}
|
|
|
|
func (hp *aesHeaderProtection) headerProtection(sample []byte) (mask [5]byte) {
|
|
hp.cipher.Encrypt(hp.scratch[:], sample)
|
|
copy(mask[:], hp.scratch[:])
|
|
return mask
|
|
}
|
|
|
|
// ChaCha20-based header protection.
|
|
// https://www.rfc-editor.org/rfc/rfc9001#section-5.4.4
|
|
type chaCha20HeaderProtection struct {
|
|
key []byte
|
|
}
|
|
|
|
func (hp chaCha20HeaderProtection) headerProtection(sample []byte) (mask [5]byte) {
|
|
counter := uint32(sample[3])<<24 | uint32(sample[2])<<16 | uint32(sample[1])<<8 | uint32(sample[0])
|
|
nonce := sample[4:16]
|
|
c, err := chacha20.NewUnauthenticatedCipher(hp.key, nonce)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
c.SetCounter(counter)
|
|
c.XORKeyStream(mask[:], mask[:])
|
|
return mask
|
|
}
|
|
|
|
// A packetKey applies or removes packet protection.
|
|
// https://www.rfc-editor.org/rfc/rfc9001#section-5.1
|
|
type packetKey struct {
|
|
aead cipher.AEAD // AEAD function used for packet protection.
|
|
iv []byte // IV used to construct the AEAD nonce.
|
|
}
|
|
|
|
func (k *packetKey) init(suite uint16, secret []byte) {
|
|
// https://www.rfc-editor.org/rfc/rfc9001#section-5.1
|
|
h, keySize := hashForSuite(suite)
|
|
key := hkdfExpandLabel(h.New, secret, "quic key", nil, keySize)
|
|
switch suite {
|
|
case tls.TLS_AES_128_GCM_SHA256, tls.TLS_AES_256_GCM_SHA384:
|
|
k.aead = newAESAEAD(key)
|
|
case tls.TLS_CHACHA20_POLY1305_SHA256:
|
|
k.aead = newChaCha20AEAD(key)
|
|
default:
|
|
panic("BUG: unknown cipher suite")
|
|
}
|
|
k.iv = hkdfExpandLabel(h.New, secret, "quic iv", nil, k.aead.NonceSize())
|
|
}
|
|
|
|
func newAESAEAD(key []byte) cipher.AEAD {
|
|
c, err := aes.NewCipher(key)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
aead, err := cipher.NewGCM(c)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
return aead
|
|
}
|
|
|
|
func newChaCha20AEAD(key []byte) cipher.AEAD {
|
|
var err error
|
|
aead, err := chacha20poly1305.New(key)
|
|
if err != nil {
|
|
panic(err)
|
|
}
|
|
return aead
|
|
}
|
|
|
|
func (k packetKey) protect(hdr, pay []byte, pnum packetNumber) []byte {
|
|
k.xorIV(pnum)
|
|
defer k.xorIV(pnum)
|
|
return k.aead.Seal(hdr, k.iv, pay, hdr)
|
|
}
|
|
|
|
func (k packetKey) unprotect(hdr, pay []byte, pnum packetNumber) (dec []byte, err error) {
|
|
k.xorIV(pnum)
|
|
defer k.xorIV(pnum)
|
|
return k.aead.Open(pay[:0], k.iv, pay, hdr)
|
|
}
|
|
|
|
// xorIV xors the packet protection IV with the packet number.
|
|
func (k packetKey) xorIV(pnum packetNumber) {
|
|
k.iv[len(k.iv)-8] ^= uint8(pnum >> 56)
|
|
k.iv[len(k.iv)-7] ^= uint8(pnum >> 48)
|
|
k.iv[len(k.iv)-6] ^= uint8(pnum >> 40)
|
|
k.iv[len(k.iv)-5] ^= uint8(pnum >> 32)
|
|
k.iv[len(k.iv)-4] ^= uint8(pnum >> 24)
|
|
k.iv[len(k.iv)-3] ^= uint8(pnum >> 16)
|
|
k.iv[len(k.iv)-2] ^= uint8(pnum >> 8)
|
|
k.iv[len(k.iv)-1] ^= uint8(pnum)
|
|
}
|
|
|
|
// A fixedKeys is a header protection key and fixed packet protection key.
|
|
// The packet protection key is fixed (it does not update).
|
|
//
|
|
// Fixed keys are used for Initial and Handshake keys, which do not update.
|
|
type fixedKeys struct {
|
|
hdr headerKey
|
|
pkt packetKey
|
|
}
|
|
|
|
func (k *fixedKeys) init(suite uint16, secret []byte) {
|
|
k.hdr.init(suite, secret)
|
|
k.pkt.init(suite, secret)
|
|
}
|
|
|
|
func (k fixedKeys) isSet() bool {
|
|
return k.hdr.hp != nil
|
|
}
|
|
|
|
// protect applies packet protection to a packet.
|
|
//
|
|
// On input, hdr contains the packet header, pay the unencrypted payload,
|
|
// pnumOff the offset of the packet number in the header, and pnum the untruncated
|
|
// packet number.
|
|
//
|
|
// protect returns the result of appending the encrypted payload to hdr and
|
|
// applying header protection.
|
|
func (k fixedKeys) protect(hdr, pay []byte, pnumOff int, pnum packetNumber) []byte {
|
|
pkt := k.pkt.protect(hdr, pay, pnum)
|
|
k.hdr.protect(pkt, pnumOff)
|
|
return pkt
|
|
}
|
|
|
|
// unprotect removes packet protection from a packet.
|
|
//
|
|
// On input, pkt contains the full protected packet, pnumOff the offset of
|
|
// the packet number in the header, and pnumMax the largest packet number
|
|
// seen in the number space of this packet.
|
|
//
|
|
// unprotect removes header protection from the header in pkt, and returns
|
|
// the unprotected payload and packet number.
|
|
func (k fixedKeys) unprotect(pkt []byte, pnumOff int, pnumMax packetNumber) (pay []byte, num packetNumber, err error) {
|
|
hdr, pay, pnum, err := k.hdr.unprotect(pkt, pnumOff, pnumMax)
|
|
if err != nil {
|
|
return nil, 0, err
|
|
}
|
|
pay, err = k.pkt.unprotect(hdr, pay, pnum)
|
|
if err != nil {
|
|
return nil, 0, err
|
|
}
|
|
return pay, pnum, nil
|
|
}
|
|
|
|
// A fixedKeyPair is a read/write pair of fixed keys.
|
|
type fixedKeyPair struct {
|
|
r, w fixedKeys
|
|
}
|
|
|
|
func (k *fixedKeyPair) discard() {
|
|
*k = fixedKeyPair{}
|
|
}
|
|
|
|
func (k *fixedKeyPair) canRead() bool {
|
|
return k.r.isSet()
|
|
}
|
|
|
|
func (k *fixedKeyPair) canWrite() bool {
|
|
return k.w.isSet()
|
|
}
|
|
|
|
// An updatingKeys is a header protection key and updatable packet protection key.
|
|
// updatingKeys are used for 1-RTT keys, where the packet protection key changes
|
|
// over the lifetime of a connection.
|
|
// https://www.rfc-editor.org/rfc/rfc9001#section-6
|
|
type updatingKeys struct {
|
|
suite uint16
|
|
hdr headerKey
|
|
pkt [2]packetKey // current, next
|
|
nextSecret []byte // secret used to generate pkt[1]
|
|
}
|
|
|
|
func (k *updatingKeys) init(suite uint16, secret []byte) {
|
|
k.suite = suite
|
|
k.hdr.init(suite, secret)
|
|
// Initialize pkt[1] with secret_0, and then call update to generate secret_1.
|
|
k.pkt[1].init(suite, secret)
|
|
k.nextSecret = secret
|
|
k.update()
|
|
}
|
|
|
|
// update performs a key update.
|
|
// The current key in pkt[0] is discarded.
|
|
// The next key in pkt[1] becomes the current key.
|
|
// A new next key is generated in pkt[1].
|
|
func (k *updatingKeys) update() {
|
|
k.nextSecret = updateSecret(k.suite, k.nextSecret)
|
|
k.pkt[0] = k.pkt[1]
|
|
k.pkt[1].init(k.suite, k.nextSecret)
|
|
}
|
|
|
|
func updateSecret(suite uint16, secret []byte) (nextSecret []byte) {
|
|
h, _ := hashForSuite(suite)
|
|
return hkdfExpandLabel(h.New, secret, "quic ku", nil, len(secret))
|
|
}
|
|
|
|
// An updatingKeyPair is a read/write pair of updating keys.
|
|
//
|
|
// We keep two keys (current and next) in both read and write directions.
|
|
// When an incoming packet's phase matches the current phase bit,
|
|
// we unprotect it using the current keys; otherwise we use the next keys.
|
|
//
|
|
// When updating=false, outgoing packets are protected using the current phase.
|
|
//
|
|
// An update is initiated and updating is set to true when:
|
|
// - we decide to initiate a key update; or
|
|
// - we successfully unprotect a packet using the next keys,
|
|
// indicating the peer has initiated a key update.
|
|
//
|
|
// When updating=true, outgoing packets are protected using the next phase.
|
|
// We do not change the current phase bit or generate new keys yet.
|
|
//
|
|
// The update concludes when we receive an ACK frame for a packet sent
|
|
// with the next keys. At this time, we set updating to false, flip the
|
|
// phase bit, and update the keys. This permits us to handle up to 1-RTT
|
|
// of reordered packets before discarding the previous phase's keys after
|
|
// an update.
|
|
type updatingKeyPair struct {
|
|
phase uint8 // current key phase (r.pkt[0], w.pkt[0])
|
|
updating bool
|
|
authFailures int64 // total packet unprotect failures
|
|
minSent packetNumber // min packet number sent since entering the updating state
|
|
minReceived packetNumber // min packet number received in the next phase
|
|
updateAfter packetNumber // packet number after which to initiate key update
|
|
r, w updatingKeys
|
|
}
|
|
|
|
func (k *updatingKeyPair) init() {
|
|
// 1-RTT packets until the first key update.
|
|
//
|
|
// We perform the first key update early in the connection so a peer
|
|
// which does not support key updates will fail rapidly,
|
|
// rather than after the connection has been long established.
|
|
//
|
|
// The QUIC interop runner "keyupdate" test requires that the client
|
|
// initiate a key rotation early in the connection. Increasing this
|
|
// value may cause interop test failures; if we do want to increase it,
|
|
// we should either skip the keyupdate test or provide a way to override
|
|
// the setting in interop tests.
|
|
k.updateAfter = 100
|
|
}
|
|
|
|
func (k *updatingKeyPair) canRead() bool {
|
|
return k.r.hdr.hp != nil
|
|
}
|
|
|
|
func (k *updatingKeyPair) canWrite() bool {
|
|
return k.w.hdr.hp != nil
|
|
}
|
|
|
|
// handleAckFor finishes a key update after receiving an ACK for a packet in the next phase.
|
|
func (k *updatingKeyPair) handleAckFor(pnum packetNumber) {
|
|
if k.updating && pnum >= k.minSent {
|
|
k.updating = false
|
|
k.phase ^= keyPhaseBit
|
|
k.r.update()
|
|
k.w.update()
|
|
}
|
|
}
|
|
|
|
// needAckEliciting reports whether we should send an ack-eliciting packet in the next phase.
|
|
// The first packet sent in a phase is ack-eliciting, since the peer must acknowledge a
|
|
// packet in the new phase for us to finish the update.
|
|
func (k *updatingKeyPair) needAckEliciting() bool {
|
|
return k.updating && k.minSent == maxPacketNumber
|
|
}
|
|
|
|
// protect applies packet protection to a packet.
|
|
// Parameters and returns are as for fixedKeyPair.protect.
|
|
func (k *updatingKeyPair) protect(hdr, pay []byte, pnumOff int, pnum packetNumber) []byte {
|
|
var pkt []byte
|
|
if k.updating {
|
|
hdr[0] |= k.phase ^ keyPhaseBit
|
|
pkt = k.w.pkt[1].protect(hdr, pay, pnum)
|
|
k.minSent = min(pnum, k.minSent)
|
|
} else {
|
|
hdr[0] |= k.phase
|
|
pkt = k.w.pkt[0].protect(hdr, pay, pnum)
|
|
if pnum >= k.updateAfter {
|
|
// Initiate a key update, starting with the next packet we send.
|
|
//
|
|
// We do this after protecting the current packet
|
|
// to allow Conn.appendFrames to ensure that the first packet sent
|
|
// in the new phase is ack-eliciting.
|
|
k.updating = true
|
|
k.minSent = maxPacketNumber
|
|
k.minReceived = maxPacketNumber
|
|
// The lowest confidentiality limit for a supported AEAD is 2^23 packets.
|
|
// https://www.rfc-editor.org/rfc/rfc9001#section-6.6-5
|
|
//
|
|
// Schedule our next update for half that.
|
|
k.updateAfter += (1 << 22)
|
|
}
|
|
}
|
|
k.w.hdr.protect(pkt, pnumOff)
|
|
return pkt
|
|
}
|
|
|
|
// unprotect removes packet protection from a packet.
|
|
// Parameters and returns are as for fixedKeyPair.unprotect.
|
|
func (k *updatingKeyPair) unprotect(pkt []byte, pnumOff int, pnumMax packetNumber) (pay []byte, pnum packetNumber, err error) {
|
|
hdr, pay, pnum, err := k.r.hdr.unprotect(pkt, pnumOff, pnumMax)
|
|
if err != nil {
|
|
return nil, 0, err
|
|
}
|
|
// To avoid timing signals that might indicate the key phase bit is invalid,
|
|
// we always attempt to unprotect the packet with one key.
|
|
//
|
|
// If the key phase bit matches and the packet number doesn't come after
|
|
// the start of an in-progress update, use the current phase.
|
|
// Otherwise, use the next phase.
|
|
if hdr[0]&keyPhaseBit == k.phase && (!k.updating || pnum < k.minReceived) {
|
|
pay, err = k.r.pkt[0].unprotect(hdr, pay, pnum)
|
|
} else {
|
|
pay, err = k.r.pkt[1].unprotect(hdr, pay, pnum)
|
|
if err == nil {
|
|
if !k.updating {
|
|
// The peer has initiated a key update.
|
|
k.updating = true
|
|
k.minSent = maxPacketNumber
|
|
k.minReceived = pnum
|
|
} else {
|
|
k.minReceived = min(pnum, k.minReceived)
|
|
}
|
|
}
|
|
}
|
|
if err != nil {
|
|
k.authFailures++
|
|
if k.authFailures >= aeadIntegrityLimit(k.r.suite) {
|
|
return nil, 0, localTransportError{code: errAEADLimitReached}
|
|
}
|
|
return nil, 0, err
|
|
}
|
|
return pay, pnum, nil
|
|
}
|
|
|
|
// aeadIntegrityLimit returns the integrity limit for an AEAD:
|
|
// The maximum number of received packets that may fail authentication
|
|
// before closing the connection.
|
|
//
|
|
// https://www.rfc-editor.org/rfc/rfc9001#section-6.6-4
|
|
func aeadIntegrityLimit(suite uint16) int64 {
|
|
switch suite {
|
|
case tls.TLS_AES_128_GCM_SHA256, tls.TLS_AES_256_GCM_SHA384:
|
|
return 1 << 52
|
|
case tls.TLS_CHACHA20_POLY1305_SHA256:
|
|
return 1 << 36
|
|
default:
|
|
panic("BUG: unknown cipher suite")
|
|
}
|
|
}
|
|
|
|
// https://www.rfc-editor.org/rfc/rfc9001#section-5.2-2
|
|
var initialSalt = []byte{0x38, 0x76, 0x2c, 0xf7, 0xf5, 0x59, 0x34, 0xb3, 0x4d, 0x17, 0x9a, 0xe6, 0xa4, 0xc8, 0x0c, 0xad, 0xcc, 0xbb, 0x7f, 0x0a}
|
|
|
|
// initialKeys returns the keys used to protect Initial packets.
|
|
//
|
|
// The Initial packet keys are derived from the Destination Connection ID
|
|
// field in the client's first Initial packet.
|
|
//
|
|
// https://www.rfc-editor.org/rfc/rfc9001#section-5.2
|
|
func initialKeys(cid []byte, side connSide) fixedKeyPair {
|
|
initialSecret := hkdf.Extract(sha256.New, cid, initialSalt)
|
|
var clientKeys fixedKeys
|
|
clientSecret := hkdfExpandLabel(sha256.New, initialSecret, "client in", nil, sha256.Size)
|
|
clientKeys.init(tls.TLS_AES_128_GCM_SHA256, clientSecret)
|
|
var serverKeys fixedKeys
|
|
serverSecret := hkdfExpandLabel(sha256.New, initialSecret, "server in", nil, sha256.Size)
|
|
serverKeys.init(tls.TLS_AES_128_GCM_SHA256, serverSecret)
|
|
if side == clientSide {
|
|
return fixedKeyPair{r: serverKeys, w: clientKeys}
|
|
} else {
|
|
return fixedKeyPair{w: serverKeys, r: clientKeys}
|
|
}
|
|
}
|
|
|
|
// checkCipherSuite returns an error if suite is not a supported cipher suite.
|
|
func checkCipherSuite(suite uint16) error {
|
|
switch suite {
|
|
case tls.TLS_AES_128_GCM_SHA256:
|
|
case tls.TLS_AES_256_GCM_SHA384:
|
|
case tls.TLS_CHACHA20_POLY1305_SHA256:
|
|
default:
|
|
return errors.New("invalid cipher suite")
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func hashForSuite(suite uint16) (h crypto.Hash, keySize int) {
|
|
switch suite {
|
|
case tls.TLS_AES_128_GCM_SHA256:
|
|
return crypto.SHA256, 128 / 8
|
|
case tls.TLS_AES_256_GCM_SHA384:
|
|
return crypto.SHA384, 256 / 8
|
|
case tls.TLS_CHACHA20_POLY1305_SHA256:
|
|
return crypto.SHA256, chacha20.KeySize
|
|
default:
|
|
panic("BUG: unknown cipher suite")
|
|
}
|
|
}
|
|
|
|
// hkdfExpandLabel implements HKDF-Expand-Label from RFC 8446, Section 7.1.
|
|
//
|
|
// Copied from crypto/tls/key_schedule.go.
|
|
func hkdfExpandLabel(hash func() hash.Hash, secret []byte, label string, context []byte, length int) []byte {
|
|
var hkdfLabel cryptobyte.Builder
|
|
hkdfLabel.AddUint16(uint16(length))
|
|
hkdfLabel.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
|
|
b.AddBytes([]byte("tls13 "))
|
|
b.AddBytes([]byte(label))
|
|
})
|
|
hkdfLabel.AddUint8LengthPrefixed(func(b *cryptobyte.Builder) {
|
|
b.AddBytes(context)
|
|
})
|
|
out := make([]byte, length)
|
|
n, err := hkdf.Expand(hash, secret, hkdfLabel.BytesOrPanic()).Read(out)
|
|
if err != nil || n != length {
|
|
panic("quic: HKDF-Expand-Label invocation failed unexpectedly")
|
|
}
|
|
return out
|
|
}
|